diff --git a/dockerbuild/run-tests.sh b/dockerbuild/run-tests.sh
index b4ec7739..c78ad8c4 100755
--- a/dockerbuild/run-tests.sh
+++ b/dockerbuild/run-tests.sh
@@ -10,5 +10,6 @@ set -e
 
 ./vendor/bin/phpunit -v tests/AnnouncementTest.php
 ./vendor/bin/phpunit -v vendor/simplesamlphp/simplesamlphp/modules/sildisco/tests/
+./vendor/bin/phpunit -v vendor/simplesamlphp/simplesamlphp/modules/mfa/tests/
 
 /data/run-integration-tests.sh
diff --git a/modules/mfa/src/Auth/Process/Mfa.php b/modules/mfa/src/Auth/Process/Mfa.php
index a0a71a10..ca03f60c 100644
--- a/modules/mfa/src/Auth/Process/Mfa.php
+++ b/modules/mfa/src/Auth/Process/Mfa.php
@@ -912,14 +912,16 @@ public static function maskEmail(string $email): string
          * Add an '*' for each of the characters of the domain, except
          * for the first character of each part and the .
          */
-        list($domainA, $domainB) = explode('.', $domain);
+        $domainParts = explode('.', $domain);
+        $maskedDomain = '';
 
-        $newEmail .= substr($domainA, 0, 1);
-        $newEmail .= str_repeat('*', strlen($domainA) - 1);
-        $newEmail .= '.';
-
-        $newEmail .= substr($domainB, 0, 1);
-        $newEmail .= str_repeat('*', strlen($domainB) - 1);
+        foreach ($domainParts as $part) {
+            $firstCharacter = substr($part, 0, 1);
+            $maskedPart = $firstCharacter . str_repeat('*', max(strlen($part) - 1, 0));
+            $maskedDomain .= $maskedPart . '.';
+        }
+        $maskedDomain = rtrim($maskedDomain, '.');
+        $newEmail .= $maskedDomain;
         return $newEmail;
     }
 
diff --git a/modules/mfa/tests/MfaTest.php b/modules/mfa/tests/MfaTest.php
new file mode 100644
index 00000000..2f988361
--- /dev/null
+++ b/modules/mfa/tests/MfaTest.php
@@ -0,0 +1,25 @@
+<?php
+
+
+use PHPUnit\Framework\TestCase;
+use SimpleSAML\Module\mfa\Auth\Process\Mfa;
+
+class MfaTest extends TestCase
+{
+    public static function setUpBeforeClass(): void
+    {
+    }
+
+    public function testMaskEmail()
+    {
+        $this->assertEquals("j**n@e******.c**", Mfa::maskEmail("john@example.com"));
+        $this->assertEquals("j***_s***h@e******.c**", Mfa::maskEmail("john_smith@example.com"));
+        $this->assertEquals("t**t@t***.e******.c**", Mfa::maskEmail("test@test.example.com"));
+        $this->assertEquals("t@e.c*", Mfa::maskEmail("t@e.cc"));
+
+        // just to be sure it doesn't throw an exception...
+        $this->assertEquals("t**t@e******..c**", Mfa::maskEmail("test@example..com"));
+        $this->assertEquals("@", Mfa::maskEmail("@"));
+    }
+
+}